DEV Community

丁久

Posted on • Originally published at dingjiu1989-hue.github.io

Database Security Hardening Guide

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.


Database security is a critical component of any organization's security posture. Databases store the most valuable data: customer records, financial data, intellectual property, and credentials. This guide covers the key security practices including encryption, access control, network isolation, and secret management.

Encryption at Rest

Encryption at rest protects data stored on disk. If an attacker gains access to the underlying storage, encrypted data remains unreadable without the encryption key.

Transparent Data Encryption (TDE)

TDE encrypts database files automatically. The database engine handles encryption and decryption transparently, so applications need no changes. The threat it addresses is theft of the storage layer (disks, backups, volume snapshots); anyone who can run queries still receives plaintext, so TDE does nothing against SQL injection or a compromised database account.

```sql
-- PostgreSQL: enable TDE with the pg_tde extension (Percona)
CREATE EXTENSION pg_tde;
-- pg_tde needs a key provider (KMS, Vault or a local file) and a principal
-- key configured before encrypted tables can be created; see the pg_tde docs.

-- Create an encrypted table by choosing the tde_heap access method
CREATE TABLE customers (
  id SERIAL PRIMARY KEY,
  name TEXT,
  email TEXT,
  ssn TEXT
) USING tde_heap;

-- MySQL: InnoDB tablespace encryption. A keyring component (for example
-- component_keyring_file, or a KMS-backed keyring) must be loaded first.
CREATE TABLE orders (
  order_id INT PRIMARY KEY,
  customer_id INT,
  amount DECIMAL(10,2)
) ENCRYPTION='Y';
```

Application-Level Encryption

For maximum protection, encrypt sensitive columns at the application level. The database never sees the plaintext, so a DBA, a stolen backup or an injection against the table yields only ciphertext. The trade-off is that encrypted columns cannot be searched, sorted or indexed by the database, so reserve this for the few fields that need it (SSNs, card numbers, tokens).

```python
# Application-level envelope encryption with AWS KMS and Fernet
import base64

import boto3
from cryptography.fernet import Fernet


def encrypt_column(plaintext, kms_key_id):
    # Ask KMS for a fresh 256-bit data key. KMS returns it twice: in
    # plaintext (used once, here, then dropped) and wrapped under the
    # KMS key (stored next to the ciphertext).
    kms = boto3.client('kms')
    response = kms.generate_data_key(
        KeyId=kms_key_id,
        KeySpec='AES_256'
    )
    data_key = response['Plaintext']
    encrypted_key = response['CiphertextBlob']

    # Encrypt the value locally with the data key. Fernet expects the
    # 32-byte key as URL-safe base64.
    f = Fernet(base64.urlsafe_b64encode(data_key))
    ciphertext = f.encrypt(plaintext.encode())

    # Persist both values; only KMS can unwrap encrypted_key, so the
    # plaintext key is never written to the database.
    return ciphertext, encrypted_key


def decrypt_column(ciphertext, encrypted_key):
    # Unwrap the data key through KMS (the call is authorized by the key
    # policy and recorded in CloudTrail), then decrypt locally.
    kms = boto3.client('kms')
    response = kms.decrypt(CiphertextBlob=encrypted_key)
    data_key = response['Plaintext']
    f = Fernet(base64.urlsafe_b64encode(data_key))
    return f.decrypt(ciphertext).decode()
```

Key Management for Encryption at Rest

  • Use a dedicated key management service (AWS KMS, Azure Key Vault, GCP Cloud KMS).

  • Separate encryption keys by environment (dev, staging, production).

  • Enable automatic key rotation (yearly or more frequently).

  • Implement key access auditing to detect unauthorized use.

Encryption in Transit

Encryption in transit protects data as it travels between the database and clients.

TLS Configuration

```conf
# PostgreSQL, in postgresql.conf: turn on TLS and refuse old protocol versions
ssl = on
ssl_cert_file = '/etc/ssl/certs/server.crt'
ssl_key_file = '/etc/ssl/private/server.key'
ssl_ca_file = '/etc/ssl/certs/ca.crt'
ssl_min_protocol_version = 'TLSv1.2'
```

```conf
# PostgreSQL, in pg_hba.conf: use only hostssl rules. A client that does not
# negotiate TLS then matches no rule and is refused. scram-sha-256 replaces
# md5, and 0.0.0.0/0 should be narrowed to the subnets that host your apps.
hostssl all all 0.0.0.0/0 scram-sha-256
# Mutual TLS variant: additionally require a client certificate whose CN
# matches the database user name
# hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=verify-full
```

MySQL: Require TLS

```ini
# require_secure_transport refuses plaintext TCP clients; connections over the
# local Unix socket still count as secure transport.
[mysqld]
require_secure_transport = ON
tls_version = TLSv1.2,TLSv1.3
ssl_ca = /etc/ssl/certs/ca.pem
ssl_cert = /etc/ssl/certs/server-cert.pem
ssl_key = /etc/ssl/private/server-key.pem
```

Best practices:

  • Enforce TLS for all database connections.

  • Use TLS 1.2 or 1.3. Disable older versions.

  • Validate certificates on both client and server. Client defaults are the usual gap: PostgreSQL's default `sslmode=prefer` neither verifies the server certificate nor refuses a plaintext fallback, so set `sslmode=verify-full` (MySQL: `--ssl-mode=VERIFY_IDENTITY`) in every connection string.

  • Rotate certificates before expiry.

  • Use client certificates for mutual TLS authentication.
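A check worth automating for the rule set above: the following script, an added example that is not part of the original post, parses a pg_hba.conf and flags every rule that would still admit a plaintext client (`host` or `hostnossl` rather than `hostssl`), uses a weak authentication method (`trust`, `password`, `md5`), or is open to the whole internet. The sample configuration embedded in it is constructed for the demo.

```python
"""Audit a pg_hba.conf for rules that undermine "require TLS for all
connections". Added example, not part of the original post; the sample
configuration at the bottom is constructed for the demo.

pg_hba.conf rule format (first matching rule wins):
    TYPE  DATABASE  USER  [ADDRESS [MASK]]  METHOD  [OPTIONS]
"host" matches TLS and plaintext clients alike, "hostnossl" only plaintext,
"hostssl" only TLS, so a file made only of hostssl rules is what enforces TLS.
"""
import ipaddress
import shlex

# Methods that send no secret, a reusable secret, or an offline-crackable
# hash. Prefer scram-sha-256 or cert.
WEAK_METHODS = {"trust", "password", "md5"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_any_network(address):
    """True for 0.0.0.0/0, ::/0 and the equivalent dotted-mask spelling."""
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:  # hostnames, samehost, samenet, ...
        return False


def parse_hba(text):
    """Yield (lineno, fields) for each rule line, skipping blanks and comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, shlex.split(line)


def audit_hba(text):
    """Return a list of human-readable findings, one per problem found."""
    findings = []
    for lineno, f in parse_hba(text):
        conn_type = f[0]
        address = None
        if conn_type == "local":  # Unix socket rules carry no address column
            method = f[3] if len(f) > 3 else None
        else:
            if len(f) < 5:
                findings.append(f"line {lineno}: malformed rule {' '.join(f)!r}")
                continue
            address = f[3]
            # Old-style "ADDRESS MASK" form carries the netmask in its own column
            if "/" not in address and _is_ip(f[4]) and len(f) > 5:
                address = f"{address}/{f[4]}"
                method = f[5]
            else:
                method = f[4]
        if method == "reject":  # reject rules never weaken anything
            continue
        if conn_type == "hostnossl":
            findings.append(f"line {lineno}: 'hostnossl' admits plaintext connections")
        elif conn_type == "host":
            findings.append(f"line {lineno}: 'host' matches plaintext clients too; use 'hostssl'")
        if method in WEAK_METHODS:
            findings.append(f"line {lineno}: weak auth method '{method}'; use scram-sha-256 or cert")
        if address is not None and _is_any_network(address):
            findings.append(f"line {lineno}: open to any address ({address}); restrict to app subnets")
    return findings


# Constructed sample: one good rule, two bad ones, and a harmless reject rule
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS        METHOD
local      all       all                  peer
host       all       all   0.0.0.0/0      md5
hostssl    all       app   10.0.1.0/24    scram-sha-256 clientcert=verify-full
hostnossl  all       all   ::/0           reject
host       all       all   10.0.0.0 255.0.0.0 trust
"""

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(finding)
```

Run it against `/etc/postgresql/*/main/pg_hba.conf` (or the file `SHOW hba_file` points at) as part of a config-review pipeline; an empty result is the goal, since a file that contains only `hostssl` rules makes a plaintext client match nothing and be refused.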

Row-Level Security (RLS)

RLS restricts which rows a user can read or modify based on a policy attached to the table, which makes tenant isolation a property of the database rather than of every query the application writes. Policies apply only to ordinary roles: superusers, roles with BYPASSRLS and, unless RLS is forced on the table, the table owner see every row, so the application must connect as a role that is none of these.

PostgreSQL Row-Level Security
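The pattern the paragraph above describes, as an added example that is not code from the original post: a policy keyed on a transaction-local setting, plus the application-side helper that sets it for exactly one transaction. The `orders` table, its `tenant_id` column, the `app_user` role and the `app.tenant_id` setting name are assumptions for the demo, and the in-memory connection class is a constructed stand-in so the module runs without a PostgreSQL server.

```python
"""Tenant-scoped queries against a PostgreSQL table protected by RLS.

Added example, not code from the original post. The orders table, the
tenant_id column, the app_user role and the app.tenant_id setting are
assumptions; FakeConnection is a constructed stand-in for a DB-API
connection so the module runs offline.
"""

# One-time DDL, run as the table owner. The policy reads the tenant from a
# transaction-local setting rather than from the database user, so one
# pooled connection can serve many tenants without leaking rows.
RLS_SETUP_SQL = """
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- The owner bypasses RLS unless it is forced; superusers and roles with
-- BYPASSRLS always bypass it, so the application must not connect as those.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON orders
    FOR ALL TO app_user
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::int)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::int);
-- NULLIF matters: current_setting() returns NULL when the setting was never
-- set in this session and '' once an earlier transaction's SET LOCAL has
-- expired. NULL compares equal to nothing, so a request that forgot to set
-- the tenant sees zero rows instead of a cast error or, worse, every row.
"""


def tenant_scoped_query(conn, tenant_id, sql, params=()):
    """Run sql in one transaction with app.tenant_id bound to tenant_id.

    conn is any DB-API 2.0 connection (psycopg2 in production). The id is
    validated as a positive int before it reaches the database, and
    set_config(..., is_local => true) scopes it to this transaction, so it
    is gone by the time the connection goes back to the pool.
    """
    if isinstance(tenant_id, bool) or not isinstance(tenant_id, int) or tenant_id <= 0:
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    cur = conn.cursor()
    try:
        cur.execute("SELECT set_config('app.tenant_id', %s, true)", (str(tenant_id),))
        cur.execute(sql, params)
        rows = cur.fetchall()
        conn.commit()  # the transaction ends and the setting reverts with it
        return rows
    except Exception:
        conn.rollback()
        raise


class FakeConnection:
    """Constructed stand-in for a DB-API connection: records every statement
    and filters a small constructed orders table the way the USING clause
    above would, so the isolation is visible without PostgreSQL."""

    ORDERS = [(1, 7, 19.99), (2, 7, 5.00), (3, 9, 42.00)]  # (id, tenant_id, amount)

    def __init__(self):
        self.log = []
        self.tenant = None  # mirrors the transaction-local app.tenant_id

    def cursor(self):
        return _FakeCursor(self)

    def commit(self):
        self.log.append("COMMIT")
        self.tenant = None  # a local setting does not outlive its transaction

    def rollback(self):
        self.log.append("ROLLBACK")
        self.tenant = None


class _FakeCursor:
    def __init__(self, conn):
        self.conn = conn
        self.result = []

    def execute(self, sql, params=()):
        self.conn.log.append((sql, tuple(params)))
        if sql.startswith("SELECT set_config('app.tenant_id'"):
            self.conn.tenant = int(params[0])
        else:  # any other statement: apply the policy's USING predicate
            self.result = [row for row in self.conn.ORDERS
                           if self.conn.tenant is not None and row[1] == self.conn.tenant]

    def fetchall(self):
        return self.result


def demo():
    """Two tenants share one connection; each sees only its own rows."""
    conn = FakeConnection()
    tenant7 = tenant_scoped_query(conn, 7, "SELECT * FROM orders")
    tenant9 = tenant_scoped_query(conn, 9, "SELECT * FROM orders")
    return tenant7, tenant9, conn.log


if __name__ == "__main__":
    print(demo())
```

With a real driver, replace `FakeConnection()` with `psycopg2.connect(...)` as `app_user` and run `RLS_SETUP_SQL` once as the owner; the helper and the policy stay the same. The `set_config(..., true)` form is preferred over `SET LOCAL` because it is an ordinary parameterized query, so the tenant id is never spliced into SQL text.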


